Skip to content

Fix server URL in openapi.json from "http://badapitest.com" to "http:… #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
riosengineer merged 22 commits into from
Jun 18, 2025
Merged

Fix server URL in openapi.json from "http://badapitest.com" to "http:… #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
1d2d6d0
Fix server URL in openapi.json from "http://badapitest.com" to "http:…
riosengineer Jun 14, 2025
8bddf3f
Refactor Spectral linting workflow to improve error handling and outp…
riosengineer Jun 14, 2025
10a5a32
Remove unused repo_token from Spectral Linting step in workflow
riosengineer Jun 14, 2025
f5af12a
Add permissions section for pull requests and tidy up spectral lintin…
riosengineer Jun 14, 2025
6e12a2d
Remove permissions section for pull requests from Spectral linting wo…
riosengineer Jun 14, 2025
a5d9475
Add complete OpenAPI specification for BadAPI with detailed paths and…
riosengineer Jun 14, 2025
4fca0f1
Remove Spectral linting workflow configuration
riosengineer Jun 15, 2025
8052719
Fix GitHub Actions repository access issue
riosengineer Jun 15, 2025
3ea44d0
Update OpenAPI specifications for BadAPI and Secure Pet Store API
riosengineer Jun 15, 2025
867ea6c
Refactor Spectral linting workflow to use stoplightio/spectral-action…
riosengineer Jun 15, 2025
a7ef154
Remove unnecessary id from Spectral linting step in workflow
riosengineer Jun 15, 2025
3f0d1d8
Enhance README.md for clarity and detail on Spectral linting benefits…
riosengineer Jun 15, 2025
f78238c
Refactor Spectral linting workflow by removing the validate-examples …
riosengineer Jun 15, 2025
08658db
Update README.md to clarify test command output expectations for secu…
riosengineer Jun 15, 2025
de36aec
Update README.md to specify adherence to OpenAPI specification in gov…
riosengineer Jun 15, 2025
d47bf94
Remove "Why Spectral" section from README.md for improved clarity and…
riosengineer Jun 15, 2025
d2b3b44
Update README.md to correct OpenAPI v3 recommended ruleset reference …
riosengineer Jun 16, 2025
122c1d1
Enhance OpenAPI specifications by adding SearchUsers endpoint and ref…
riosengineer Jun 16, 2025
41539ba
Add custom rules section to Spectral rules overview in README.md
riosengineer Jun 16, 2025
5e3b2a2
Update README.md to clarify Spectral config includes custom rules
riosengineer Jun 16, 2025
648ba36
Update README.md to enhance installation instructions for Spectral CL…
riosengineer Jun 16, 2025
6a7bec7
Fix formatting in README.md note about adding `yml` file extension in…
riosengineer Jun 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 7 additions & 37 deletions .github/workflows/spectral.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: Spectral API Linting
name: Spectral API Linting

on:
pull_request:
Expand All @@ -9,6 +9,11 @@ on:
- 'apis/**/*.json'
- '.spectral.yml'

permissions:
contents: read
checks: write
pull-requests: write

jobs:
spectral-lint:
name: Run Spectral Linting
Expand All @@ -18,7 +23,6 @@ jobs:
- name: Checkout Code
uses: actions/checkout@v4
with:
# Full git history is needed for proper file change detection
fetch-depth: 0

- name: Spectral Linting
Expand All @@ -27,38 +31,4 @@ jobs:
file_glob: 'apis/**/*.{yml,yaml,json}'
spectral_ruleset: '.spectral.yml'
repo_token: ${{ secrets.GITHUB_TOKEN }}
validate-examples:
name: Validate API Examples
runs-on: ubuntu-latest

steps:
- name: Checkout Code
uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'

- name: Install Spectral CLI
run: npm install -g @stoplight/spectral-cli

- name: Validate Good Example
run: |
echo "Validating good example should pass..."
if spectral lint apis/good-example/openapi.yml; then
echo "✅ Good example passes as expected"
else
echo "❌ Good example should not have any linting errors"
exit 1
fi

- name: Validate Bad Example
run: |
echo "Validating bad example should fail..."
if spectral lint apis/bad-example/openapi.yml; then
echo "❌ Bad example should have linting errors for demonstration"
exit 1
else
echo "✅ Bad example fails as expected (this is good for our example)"
fi
continue-on-error: true
12 changes: 11 additions & 1 deletion .spectral.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,11 @@
extends: [["spectral:oas", "recommended"], "https://unpkg.com/@stoplight/spectral-owasp-ruleset/dist/ruleset.mjs"]
extends: [ [ "spectral:oas", "recommended" ], "https://unpkg.com/@stoplight/spectral-owasp-ruleset/dist/ruleset.mjs" ]

rules:
request-GET-no-body:
description: "A 'GET' request MUST NOT accept a 'body' parameter"
severity: error
given: $.paths..get.parameters..in
then:
function: pattern
functionOptions:
notMatch: "/^body$/"
75 changes: 31 additions & 44 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,28 @@
# 🔍 Spectral OpenAPI Linting Demo

This GitHub repository will showcase how Spectral linting can help align your API specifications to best practices with OpenAPI V3 and security by adhering to OWASP rules.
This GitHub repository demonstrates how Spectral linting can help align your API specifications with OpenAPI V3 best practices whilst enhancing security through adherence to OWASP rules.

In this repository, I've included an `apis/` folder which contains good and bad specifications (`.yml` and `.json` formats) that you can use to run spectral linting and see the results.
## 🛡️ About This Repository

By including spectral linting, you'll shift-left governance, security and best practices for your API specs - you may not even be running any linting or checks at all. This repository will showcase why this is important and how powerful spectral can be as part of your CI process for your API and DevOps teams.
This repository includes example API specifications in both good and bad forms (`.yml` and `.json` formats) to demonstrate how Spectral linting works in practice.

Lastly, I've included a GitHub Action that will run the spectral linting on a pull request, which you can test by forking the repository and making a change (e.g. changing a description and checking the action output). However, as this is a demo repository, I've also included a validation step in the workflow so that you can run `act` locally (allows GitHub Actions to run locally via Docker) to see the results from your local machine, without GitHub also! (Mostly because it's a really awesome tool and this was an excuse to use it :D)
By incorporating Spectral linting into your development workflow, you can:

- 🛡️ **Shift-left security** - Catch API vulnerabilities before they reach production
- ⚖️ **Enforce governance** - Ensure all APIs follow your organisation's standards and adhere to OpenAPI specification
- ✨ **Maintain consistency** - Apply best practices across all your API specifications

Whether you're currently using API linting tools or not, this repository showcases how powerful Spectral can be as part of your CI process, providing immediate benefits for both your API and DevOps teams through automated validation that keeps your API specifications secure, consistent, and high quality.

This demo includes a GitHub Action that runs Spectral linting on every pull request. You can test it by forking the repository and making a change (e.g., updating a description and checking the action output).

## 📁 Repository Structure

```text
├── .github/
│ └── workflows/
│ └── spectral-lint.yml # GitHub Actions workflow for PR checks
├── .spectral.yml # Spectral config (OAS + OWASP rules)
├── .spectral.yml # Spectral config (OAS + OWASP rules + Custom)
├── apis/
│ ├── good-example/
│ │ ├── openapi.yml # ✅ Secure API (YAML format)
Expand All @@ -26,18 +34,28 @@ Lastly, I've included a GitHub Action that will run the spectral linting on a pu

## 🚀 Getting Started

Check out the official [docs](https://stoplight.io/open-source/spectral).

Here's how to get up and running with Spectral linting:

1. **Install Spectral CLI**:
1. **Install Spectral** via CLI or VS Code Extension:

**Option 1: CLI Installation**

```bash
npm install -g @stoplight/spectral-cli
npm install -g @stoplight/spectral-cli
```

**Option 2: VS Code Extension**
Install the [Spectral VS Code Extension](https://marketplace.visualstudio.com/items?itemName=stoplight.spectral) for real-time linting on type or save.

> [!NOTE]
> You will need to add the `yml` file extension in the extension settings.

2. **Test it out** - Run these commands to see Spectral in action:

```bash
# Test the secure API (should pass clean)
# Test the secure API (should pass)
spectral lint apis/good-example/openapi.yml

# Test the secure API in JSON format
Expand All @@ -54,10 +72,11 @@ Here's how to get up and running with Spectral linting:

This setup uses a powerful combination:

- **OpenAPI v3 recommended rules** (`spectral:oas`) - Catches common API design issues using OpenAPI V3 recommended ruleset
- **OpenAPI v3 recommended rules** (`spectral:oas, recommended`) - Catches common API design issues using OpenAPI V3 recommended ruleset
- **OWASP API Security rules** - Validates against real security vulnerabilities
- **Custom Rules&** - Included is an example custom rule which you can create to adhere to your specific organistions styling and standards

Check out [docs/spectral-rules.md](docs/spectral-rules.md) and [spectral-owasp-ruleset](ruleset) for the complete rule breakdowns.
Check out [docs/spectral-rules.md](docs/spectral-rules.md) and [spectral-owasp-ruleset](ruleset) for the complete rule breakdowns. You can create your own [https://docs.stoplight.io/docs/spectral/01baf06bdd05a-create-a-ruleset](custom rules).

## 📋 Examples

Expand All @@ -72,39 +91,7 @@ Both examples ship in **YAML** and **JSON** formats. These are demo API specific

**❌ Bad Example** (`apis/bad-example/`):

- **113 problems** (32 errors, 81 warnings) - Shows spectral linting catching a bad example specification
- **33 errors, 116 warnings** - Shows spectral linting catching a bad example API specification
- 🚫 **Security vulnerabilities** highlighted from OWASP rulset
- 📚 **Educational goldmine** help hightlight bad practices
- 📚 **Educational goldmine** help hightlight bad practices in an API spec
- ⚠️ **HTTP servers, credentials in URLs, missing security** - all the facepalm security issues to show spectral working to help keep your specifications secure before it hits `main`

## 🧪 Testing GitHub Actions Locally

Want to test the spectral `validate-examples` GitHub Action before pushing? You can use `act` locally to run the action to validate.

### Prerequisites

1. **Docker Desktop** - Make sure it's installed and running
2. **Install act**:

```powershell
# Using winget (recommended)
winget install nektos.act

# Or using Chocolatey
choco install act-cli
```

### 🚀 Running the Test

Navigate to the repository root and run:

```powershell
# Test only validation
act pull_request --job validate-examples
```

### 📊 Expected Results

- **✅ validate-examples job**: Should run clean
- Good example: 0 errors, 0 warnings ← Perfect!
- Bad example: 113 problems (32 errors, 81 warnings) ← This is what we want! Showcasing the spectral linting working.
Loading
Loading